Wednesday, February 21, 2024

Mirai-based DDoS Attackers Aggressively Adopted New Router Exploits

In September 2023, FortiGuard Labs’ vigilant team uncovered a significant development in the IZ1H9 Mirai-based DDoS campaign. 

This campaign, known for its aggressive tactics, had strengthened its arsenal with a formidable array of thirteen exploits, potentially endangering Linux-based systems across various organizations.

The IZ1H9 campaign threatens a wide range of users across any organization that utilizes Linux-based systems. 

Its potential impact is critical, as remote attackers can gain full control of vulnerable systems, effectively turning them into bots under the attacker’s command.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Exploitation Surge

During the team’s observation, it became evident that the IZ1H9 campaign reached its zenith of exploitation on September 6, 2023. 

Trigger counts surged into the thousands, and even tens of thousands, showcasing the campaign’s alarming ability to infiltrate susceptible devices. 

This rapid propagation was achieved by utilizing freshly released exploit code, covering numerous Common Vulnerabilities and Exposures (CVEs).

Exploit Payloads

The campaign’s array of exploit payloads is diverse, targeting various vulnerabilities. 

Notably, four payloads, CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382, zero in on D-Link vulnerabilities, enabling remote attackers to execute commands via crafted requests.

Additionally, CVE-2019-19356 targets Netis WF2419, exploiting a Remote Code Execution (RCE) vulnerability through the tracert diagnostic tool due to insufficient user input sanitization.

Exploits discovered in 2021 also play a pivotal role in this campaign, affecting products such as Sunhillo SureLine, Geutebruck IP cameras, and Yealink Device Management.

Further vulnerabilities in Zyxel devices, TP-Link Archer, Korenix JetWave, and TOTOLINK routers are leveraged to expand the campaign’s reach.

Shell Script Downloader

The injected payload aims to download a shell script named “” from a specific URL. 

Once executed, this script conceals its actions by deleting logs and subsequently downloading and executing various bot clients tailored for different Linux architectures. 

It concludes by obstructing network connections on multiple ports by modifying the device’s iptables rules.

Malware Analysis – IZ1H9

IZ1H9, classified as a Mirai variant, specializes in infecting Linux-based networked devices, particularly IoT devices. 

It transforms them into remote-controlled bots, ready for large-scale network attacks. The XOR key used for configuration decoding is revealed as 0xBAADF00D.

Victims initiate communication with a C2 server, and upon receiving commands, compromised devices parse the packet to determine the DDoS attack method, target host, and packet count before launching an attack.

          C2 communication
          C2 communication

This campaign underscores the persistent risk posed by vulnerable IoT devices and Linux servers to remote code execution attacks. 

Despite the availability of patches, the number of exploit triggers remains alarmingly high, exposing systems to potential threats.

The IZ1H9 Campaign’s rapid adaptation to new vulnerabilities is a cause for concern. Once attackers gain control of a vulnerable device, they can integrate it into their botnet, amplifying their capacity for attacks, including DDoS and brute-force attacks.

DDoS attacking methods
            DDoS attacking methods

Organizations are urged to promptly apply patches and change default login credentials for devices to mitigate this threat effectively.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...

New Mingo Malware Attacking Linux Redis Servers To Mine Cryptocurrency

The malware, termed Migo by the creators, attempts to infiltrate Redis servers to mine cryptocurrency on...

Security Onion 2.4.50 Released for Defenders With New Features

Security Onion Solutions has recently rolled out the latest version of its network security...

VMware Urges to Remove Enhanced EAP Plugin to Stop Auth & Session Hijack Attacks

VMware has issued an urgent advisory to administrators to remove a deprecated authentication plugin...

LockBit Ransomware Members Charged by Authorities, Free Decryptor Released

In a significant blow to one of the most prolific ransomware operations, authorities from...

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles